You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/content/concepts/authorization/authorizers.md
+34-9Lines changed: 34 additions & 9 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -125,6 +125,12 @@ roleRef:
125
125
name: cluster-admin
126
126
```
127
127
128
+
##### Cross-Workspace
129
+
130
+
Users from other workspaces can be authorized to peform actions using RBAC, e.g. to `bind` and APIExport.
131
+
132
+
###### Service Accounts
133
+
128
134
A service-account defined in a workspace implicitly is granted access to it.
129
135
130
136
A service-account defined in a different workspace is NOT given access to it.
@@ -136,6 +142,14 @@ A service-account defined in a different workspace is NOT given access to it.
136
142
137
143
Service accounts declared within a workspace don't have access to initializing workspaces.
138
144
145
+
###### Foreign Users
146
+
147
+
Users can either be global kcp users or users that originate from a specific workspace, e.g. through an OIDC provider configured for that workspace.
148
+
149
+
Users that do not originate from the workspace the request is being made to and are not global kcp users are only visible as user `system:anonymous`
150
+
with groups `system:authenticated` and `system:cluster:<logical-cluster>`, where `<logical-cluster>` is the name of the logical cluster backing
151
+
the workspace they originated from.
152
+
139
153
#### System CRD Authorizer
140
154
141
155
This small authorizer simply prevents updates to the `status` subresource on APIExports or APIBindings. Note that this authorizer does not validate changes to the CustomResourceDefinitions themselves, but to objects from those CRDs instead.
@@ -270,13 +284,21 @@ The webhook will receive JSON-marshalled `SubjectAccessReview` objects, that (co
The extra field will contain the logical cluster _name_ (e.g. o43u2gh528rtfg721rg92), not the human-readable path. Webhooks need to resolve the name to a path themselves if necessary.
293
+
The extra field will contain the logical cluster _name_ (e.g. o43u2gh528rtfg721rg92), not the human-readable path. Webhooks need to resolve the name to a path themselves if necessary.
294
+
295
+
!!! note
296
+
In the past the cluster name was provided in the `authorization.kubernetes.io/cluster-name` extra field instead of `authorization.kcp.io/cluster-name`.
297
+
This field is deprecated as of kcp v0.28.3 and will be removed in a future release.
298
+
299
+
!!! note
300
+
Request payloads can also contain the `authentication.kcp.io/cluster-name` and `authentication.kcp.io/scopes` extra fields if the user originates from the workspace the request is made against.
301
+
If the users authenticated against another workspace than the target of the request these fields will not be present - instead the user will be seen as `system:anonymous` with groups `system:authenticated` and `system:cluster:<logical-cluster>`, where `<logical-cluster>` is the name of the logical cluster backing the workspace they authenticated against.
280
302
281
303
### Authorizer Order
282
304
@@ -310,8 +332,8 @@ extra:
310
332
- cluster:logical-cluster-1
311
333
```
312
334
This user will only be allowed to access resources in `logical-cluster-1`,
313
-
falling back to be considered as user `system:anonymous` with group
314
-
`system:authenticated`in all other logical clusters.
335
+
falling back to be considered as user `system:anonymous` with groups
336
+
`system:authenticated`and `system:cluster:logical-cluster-1` in all other logical clusters.
315
337
316
338
Each extra field can contain multiple scopes, separated by a comma:
0 commit comments